Menu
Browse

Cyber Threat Actor: DetoxRansome

Actor Type Location Known Incidents
 Icon
Criminal
Romania
1 incident
Profile

DetoxRansome is thealias used by a threat actor known to have originated in Romania. The actor first came to public attention in mid‑2015 when they claimed responsibility for a breach of the anti‑virus company BitDefender. Public sources describe the individual as operating alone, with no indication of membership in a larger criminal group or state‑sponsored unit. The actor’s online persona is tied to the handle DetoxRansome, which appeared in extortion communications and data leak announcements. No further biographical details such as age, real name, or affiliated organizations have been disclosed in open reporting.

DetoxRansome’s observed activity focuses on compromising cloud‑based services of technology firms, particularly those that manage customer credentials. The actor’s primary objective appears to be financial gain through extortion, as demonstrated by a demand for a $15,000 payment before threatening to release stolen data. The targeting pattern includes small and medium business customers of the victim, with a subset of those accounts using government‑associated email domains. The actor exploited a vulnerability in a public cloud application component to gain access to unencrypted usernames and passwords stored on the victim’s servers. After obtaining the credentials, the actor claimed control of two cloud servers and asserted that the stolen logins were not encrypted, using this claim to pressure the victim into paying the ransom. The most publicly documented operation attributed to DetoxRansome occurred on July 24, 2015, when the actor breached BitDefender’s public cloud offering and extracted credentials for less than one percent of the company’s SMB customer base. The leaked data contained over 250 plaintext username‑password pairs, some belonging to addresses with .gov suffixes, indicating that government‑linked accounts were among those exposed. Following the breach, the actor attempted to extort BitDefender, released a portion of the data when the ransom was not paid, and subsequently faced a law‑enforcement investigation that examined the incident. Attribution to DetoxRansome rests solely on the alias used in the extortion emails and the hacker’s self‑identification in communications with journalists; no additional ties to state actors, criminal syndicates, or other malware families have been established in open sources. The case remains a singular example of the actor’s known capability to leverage cloud misconfigurations for credential theft and monetary extortion.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
1 source